I have a pretty good understanding of X.509 cryptography etc., from my career in the smart card industry. So I know that the card scheme (e.g. Visa, MasterCard) is the highest level of trust - they sign ...

I read about msfencode and I am confused - how can I encode a Windows executable with msfencode and how can I decode it in any language like C++ or C#? If I try
msfencode -i /root/desktop/calc.exe -a ...

Is there an implementation of Authenticated encryption for .NET applications?
The AES API from .NET does not include modes such as GCM. In the documentation, I can only see insecure modes (ECB, CBC, ...

I have several fields in a database table I would like to encrypt, but I would like to do it in a way that would allow me to easily change the encryption key every n months for security reasons.
My ...

How can I restrict users from spamming my web service by sending thousands of requests?
My web service is actually protected by a validation token only accessible through authentication, but I still ...

I'm working on implementing an IP filter which blocks all requests by machines outside our IP range. This is for an ASP.NET project (written in C#).
I've read on multiple forums that the safest way ...

I'm going to write a Client/Server application. There are some ambiguous concepts in this that I was not able to get answers to after many hours of searching.
As we all know one of the major caveats ...

.NET AppDomains provide several levels of isolation for untrusted or partially trusted code. The AppDomain sandbox is widely deployed in ASP.NET and Silverlight, although only the latter of these is ...

I am connecting to a SOAP webservice that requires SSL authentication. I (the web service client) have a .pfx file and provided the public certificate for that file to the company whose web service I ...

I'm writing a piece of software which will have to store a user's password to allow authentication with a 3rd party service. Unfortunately, this service currently requires the use of a password rather ...

It is normal to list some extra-secure compiler options to prevent attacks on C and C++. However, I have not found any similar recommendations for C#. Are compiler options simply not relevant to C# ...

When my users are authenticated they receive an authentication token. I need to use this authentication token to authorize some ASP.NET WebAPI calls. To do this I need to add the token to the head of ...

.NET has a feature called request validation which detects malicious inputs and blocks the request.
By its nature, request validation is not a precise science. OWASP clearly recommends to only rely on ...

Been trying to wrap my head around OAuth 2.0, but I'm struggling to figure out the correct way to implement it for our system, as there are so many different approaches.
Our specifications are:
Secure ...

I'm not very familiar with encryption and new to this; I'm just learning it right now by code review of one of the classes we have in an application to encrypt a password using AES. Would anyone explain ...

To start with, I am dangerously bad at security. I am aware of this, which is why I'm asking for help to figure this out.
I have a POCO object, which is exposing an ICollection of a model object, so ...

During coding, I have used both MD4 and MD5 encryption techniques. But there hasn't been any noticeable security difference between either of them. And yet, most of them prefer MD5, in fact specify ...

Does encrypting a value in the web.config file actually provide any real protection? It seems to me that any web app can read that setting. Yes that's more work than just reading the web.config file, ...

I assume that the best way to handle passwords for a website is I create a hash of the password and save that hash in my database. Then when someone tries to log in, I do a hash of the password they ...

We need to provide a license key to customers for our application. The actual license is XML but we need to encrypt it and then in our program decrypt it. I think it is the following, but am asking to ...

I saw some suspicious errors being generated on my site based on pages that were requested. My error is logging the path that the user is trying to access. Because of these errors (and the paths that ...

Hello, my team is tasked to perform security-focused training for developers (.NET and JAVA). I have used WebGoat to demonstrate OWASP Top 10 type security vulnerabilities and am looking for a similar ...

I have a very simple app that does allow unauthenticated users to leave comments (maybe later I will incorporate a CAPTCHA). The app then stores the comments in a MySQL db. I do my best to filter out ...

Suppose I have this scenario:
User --> Inputs License Key --> I validate it --> If success, good, move onto main window. If not, prompt the user to reenter the license key.
The license key will not ...